DataStax Enterprise 4.5

Preparing server certificates

Generate SSL certificates for client-to-node encryptions or node-to-node encryption.

This topic provides information about generating SSL certificates for client-to-node encryption or node-to-node encryption. If you generate the certificates for one type of encryption, you do not need to generate them again for the other: the same certificates are used for both.

All nodes must have all the relevant SSL certificates on all nodes. A keystore contains private keys. The truststore contains SSL certificates for each node and does not require signing by a trusted and recognized public certification authority.

Procedure

To prepare server certificates:

  1. Generate the private and public key pair for the nodes of the cluster leaving the key password the same as the keystore password:
    keytool -genkey -alias dse_node0 -keyalg RSA -keystore .keystore
    For this prompt What is your first and last name?, enter the hostname or the fully qualified domain name (FQDN) of the Cassandra node for which you are generating the keys. The values that you enter for the first and last name are used to set the certificate CN (Common Name) that is used for server authentication by the client.
  2. Repeat the previous step on each node using a different alias for each one.
  3. Export the public part of the certificate to a separate file and copy these certificates to all other nodes.
    keytool -export -alias dse -file dse_node0.cer -keystore .keystore
  4. Add the certificate of each node to the truststore of each node, so nodes can verify the identity of other nodes.
    A prompt for setting a password for the newly created truststore appears.
    keytool -import -v -trustcacerts -alias dse_node0 -file dse_node0.cer -keystore .truststore
    keytool -import -v -trustcacerts -alias dse_node1 -file dse_node1.cer -keystore .truststore
    . . .
    keytool -import -v -trustcacerts -alias dse_nodeN -file dse_nodeN.cer -keystore .truststore
  5. Make sure .keystore is readable only by the DSE daemon and not by any user of the system.
Loading Search